A new cross-platform malware botnet named ‘MCCrash’ is infecting Windows, Linux, and IoT devices to conduct distributed denial of service attacks on Minecraft servers.
The botnet was discovered by Microsoft’s Threat Intelligence team, who report that once it infects a device, it can self-spread to other systems on the network by brute-forcing SSH credentials.
“Our analysis of the DDoS botnet revealed functionalities specifically designed to target private Minecraft Java servers using crafted packets, most likely as a service sold on forums or darknet sites,” explains the new report by Microsoft.
Currently, most of the devices infected by MCCrash are located in Russia, but there are also victims in Mexico, Italy, India, Kazakhstan, and Singapore.
MCCrash victims heatmap (Microsoft)
Minecraft servers are often targets of DDoS attacks, whether to grief players on the server or as part of an extortion demand.
In October 2022, Cloudflare reported mitigating a record-breaking 2.5 Tbbs DDoS attack targeting Wynncraft, one of the largest Minecraft servers in the world.
Starts with pirated software
Microsoft says that devices are initially infected with MCCrash after users install fake Windows product activator tools and trojanized Microsoft Office license activators (KMS tools).
The cracking tools contain malicious PowerShell code that downloads a file named ‘svchosts.exe,’ which launches ‘malicious.py,’ the primary botnet payload.
Attack methods in malicious.py script
MCCrash then attempts to spread to other devices on the network by performing brute-force SSH attacks on IoT and Linux devices.
“The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices.
Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk to attacks like this botnet.
The botnet’s spreading mechanism makes it a unique threat, because while the malware can be removed from the infected source PC, it could persist on unmanaged IoT devices in the network and continue to operate as part of the botnet.” – Microsoft.
The malicious Python file can run on both Windows and Linux environments. Upon the first launch, it establishes a TCP communication channel with the C2 over port 4676 and sends basic host information, like what system it’s running on.
On Windows, MCCrash establishes persistence by adding a Registry value to the “SoftwareMicrosoftWindowsCurrentVersionRun” key, with the executable as its value.
The botnet’s infection and attack chain (Microsoft)
Attacking Minecraft servers
The botnet receives encrypted commands from the C2 server based on the OS type identified in the initial communication.
The C2 will then send one of the following commands back to the infected MCCrash device to execute:
Commands the C2 sends to MCCrash (Microsoft)
Most of the above commands specialize in DDoS attacks on Minecraft servers, with ‘ATTACK_MCCRASH’ being the most notable due to using a novel method to crash the target server.
According to Microsoft, threat actors created the botnet to target Minecraft server version 1.12.2, but all server versions from 1.7.2 and up to 1.18.2 are also vulnerable to attacks.
Minecraft server version market share (Microsoft)
Version 1.19, released in 2022, isn’t impacted by the current implementation of the ATTACK_MCCRASH, ATTACK_[MCBOT|MINE], and ATTACK_MCDATA commands.
Still, a considerable number of Minecraft servers are running on older versions, most of them located in the United States, Germany, and France.
Vulnerable Minecraft server distribution (Microsoft)
“The unique ability of this threat to utilize IoT devices that are often not monitored as part of the botnet substantially increases its impact and reduces its chances of being detected,” comments Microsoft.
To protect your IoT devices from botnets, keep their firmware up to date, change default credentials with a strong (long) password, and disable SSH connections if they’re not needed.